Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Even if they went along with this "service", all it takes is one of the Four Horsemen of the Infoclypse (as Tim May put it) to rear their ugly heads through the connection, and the ISP will either stop running the station, or make sure they have thorough logging.

After reading TFA: They do not assume that your ISP has this "station", only some ISP. You tag your https request to some unblocked site by using public key code encryption to indicate that you want a secure anonymous connection. When your request packages are routed you might hit a router from an ISP who runs such a "station". This router may identify the tag and and if so, the "station" answers the request by setting up an encrypted between itself and the user (you) who can then use it like a proxy. In other words - the headline is wrong, because you still use a proxy, the only difference is that the IP of the doesn't need to be publicly known. Instead, you need to know the public key of a (group of) station(s) and hope that the traffic gets routes to pass through one of these.

True, but the traffic has to come from somewhere outgoing, and pretty much the ISP will be in hot water unless they have some address to cough up, be it a node previous in the chain, or an actual person. Same problem happens with TOR exit nodes, which is why there are so relatively few of them.

This is not a solution for anonymity like TOR at all. In fact, I don't see it providing anonymity as a goal. To say that it is providing it is extremely misleading and I can understand why a lot of people are ripping it apart.

However, this is a fairly good idea. You just have to limit the scope of this to HTTPS requests that come from countries which engage in censorship. So while it is not for American or EU citizens to use for anonymity, it could be quite useful to Pakistan, China, Australia, etc.

> This is not a solution for anonymity like TOR at all. In fact, I don't see it providing anonymity as a goal. To say> that it is providing it is extremely misleading and I can understand why a lot of people are ripping it apart.

1) it needs to change their network to route the HTTPS request to pass through the "stations"2) if the ISP is discovered, it's very likely that it would be blocked by the censoring governement.

IMHO a good idea would be first to implement "Telexed website": it can be blocked as any website, but at least users who would use the Telex-proxy of the website would be "anonymous"(*) among the normal users of the website.

Oh, right... We can fully expect our friendly ISPs to go along with this nice, convenient fully centralized 'service'... Pleeeze

Worse than that, the ISPs would have to perform deep packet analysis and attempt decryption on every HTTPS connection going though their core routers. Any design that depends on increasing CPU load on core routers by at least an order of magnitude just isn't going to work.

Also the system relies on ISPs, many of them, keeping the magic private key secret from whoever the censor is. That's much too risky to bet your freedom on.

The bad assumption is that government controlled ISPs in said censored nations won't make their own Telex nodes and just intercept traffic before it reaches the web at large. The really bad assumption is that other ISPs between the end user and the fake destination will have Telex nodes to do the dirty work. This method seems to be screaming MITM me.

I don't think just any node could interpret the message. It would be built specifically for the node they are using. It also doesn't imply anything about not using other security. The telex message could be (and probably should be) an encrypted communication, so the telex node would just know where it's going, not what it means.

Basically, all this does is allow any website to act as a proxy without being obvious that they're a proxy. It's an interesting idea, but I don't think it has any chance of working. Governments will identify possible nodes through either technological means or just good old "social engineering" (snitches) and simply shut off all access to those sites. Or they'll take it a step further and restrict all sites except for a whitelist.

That was my first thought too, but I think the fact that they use https connections to real websites, and that the boxes use a private key, should mean that the government box wouldn't work unless they got access to the private key. I'm still not sure if it would work well in practice, but at least this aspect shouldn't be a problem.

A different way to look at the assumption is, the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.

And the telex client software will change the public keys used to sign the encrypted requests periodically via some update mechanism. This will ensure that ISPs that had claimed to be anti-censorship earlier to get hold of telex boxes with private keys can not turn on their censor filters later and use the old telex boxes to intercept t

If I recall correctly, its primary claim to fame in the 80s was having both a decent zmodem download client built in, and zmodem autostart. Also I liked its phonebook menu, which neatly held all the BBSes I called. And it had a nice redialer.

It was pretty much the ideal terminal program in the pre-windows era.

Procomm was about as good, and had a nicer scripting language, but they wanted a huge amount of money for it.

Apparently in some countries Telex has a legal status that other communications don't neccesarily have. I'm guessing it's been judged to be evidence of a contract since it is reasonably well authenticated.

eg: "We sent you a Telex ordering N tons of commodity Y by date X and received a confirmation from you." would be admissible in court as a signed contract.

You don't. You rely on one ISP between your dodgy ISP and the censored site you actually want to visit. If there's a friendly ISP on the route, you'll get your traffic diverted to the desired server, and if not, you'll get the traffic you actually requested (which is unblocked by the censoring government).

Not the same ISPs. ANY ISP that is on the traceroute to uncensored websites allowing https.

And the local ISP won't even know there is anything special with the network traffic as this uses public steganography in encrypted data streams.

Only somebody who has the private key can know the data are "special". So the only remaining attacks on this are:- steal a private key from a trusted organization- spoof a private key (Bad people can create the "TRUSTME" service, get people to trust it and spy on them)- block

> Okay, so we rename the proxy a "station" and now we can call it proxy-less?They should have named these stations "hidden proxy", because the difference between these "stations" and normal proxys is that users don't have to connect to a proxy IP address as the "Telex ISPs" redirect all the HTTPS connexions requests through these "Telex stations".

It becomes much more difficult for the censoring government to detect who is trying to escape the censorship..

The difference is that it would not be dependent on the end point site supporting it (in which case the end point site would simply be blocked for supporting it). Instead, it moves the redirect down a level and makes it blend in with a normal HTTPS connection. When it passes over a Telex enabled router, it gets changed out and redirected. The primary problem I see with the system is that all a censor has to do is get the magic box on their own routers and suddenly they can see the traffic and tell where

What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?

What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?

The point is to signal that they're noobs hence not to be trusted with sensitive traffic.

I've got an idea, how about freenet and/or i2p? That might work. With namecoins for domain registration? Naah I'll never get that past the NiH filter.

My favorite part about freenet and i2p is "recently" at least on headless linux boxes, they could be installed together, but having made the mistake of being implemented in Java, one sort-required a very specific version of the official sun JRE and the other required an

What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?

I think that this answers your question (from TFS)

a scheme that hides the fact that the users is even trying to communicate at all.

If there was One World Government, then yes. As it is, governments such as the United States have an interest in foiling the censorship efforts of other governments such as Iran or China. Thus, key state support to circumvent state-level censorship is hardly unreasonable, at least for a fairly large subset of state-level censorship that's out there.

If you have to have something running which will reroute the packets, isn't that effectively a proxy? This is just a different way of accessing the proxy. Not only that but the proxy needs to be running in the network path for the packet, when the routing isn't even guaranteed to be always the same. Would this even work outside a lab?

And I also would like to sell you this bridge I recently acquired in Brooklyn. It's totally not the right time for me to be owning a bridge.

But seriously, who is going to trust this system? It creates an enormous incentive for intelligence agencies to infiltrate as many major ISPs as they have to in order to capture the traffic and/or compromise the keys--if they haven't already infiltrated the project to parallel develop a compromised version of the product that feeds the keys straight to the CIA so that t

In the West, certainly not. In China or Iran, however, I could see the government banning encrypted traffic. I'm a bit surprised they haven't already. At the very least, ban HTTPS and replace it with some other cryptosystem to which they hold the keys. It prevents them from foreign logins, but I thought they'd be OK with that.

Somehow, I think nesting myself (needle) in a haystack (Tor network) would be safer than routing through set stations.
At the end of the day, this sounds like dumbing down the tools we already have so common users can take advantage of them without learning the procedures. I wouldn't normally have a problem with protecting Anonymity, but I think in this case I'm going to say no. ISPs aren't going to bother with this, especially in countries and areas where governments have complete control over such matter

You're inside of an HTTPS connection and send spooky data that somehow this Telex box can see. How exactly can the Telex box see inside the HTTPS secured connection if the connection is supposed to be secured to this bogus back-end web site that's benign and not aware of the goofy stuff? Is this SSL connection somehow different than a normal one to these web sites and if so would that possibly make it stand out?

Crypto nerds are like hippies but without that strong grasp of the realities of this world.

This "idea" relies on the fact that internet traffic is routed through several places on its way. They idea is that on one of these ways, the traffic will be read and if a magic bit is detected, it will re-route this traffic to somewhere else, making it possible to do a request for google.com with a magic bit set (which I can only presume is some magic bit that won't be bloody obvious for not fitting in the very well

What an overly complex bogus system. It will require tons of ISP's to cooperate to get this to work. We might as well install an SSL proxy at the border and tell the Chinese the whole world is reachable over the proxy IP only. Take it or leave it.

Year after year we see all these awesome developments which probably cost a ton but I've never heard of one really taking off. Meanwhile the Chinese are simply using commercial VPN providers or brewing their own on $3/month VPS servers.

Imagine...a significant portion of the people trying to avoid monitoring of their online activities getting routed automatically through your very own Telex "station" to your own poisoned 'proxy' service, allowing full monitoring of traffic that the end user thinks is secure...

Really, there seems to be no way for the end user to verify that the Telex "station" that reroutes their request is legitimate. So instead of using peer-verified, trusted proxies, they cast their dirty laundry out on the interwebs an